Within 24 hours of purchasing my first cPanel/WHM license to begin my webhosting adventure, I was, of course, hacked. :-/ Oh well, gotta learn; backups are good.
On 03/06/2021, my server showed symptoms of being hacked. In my rkhunter.log file I have the following warning:
Warning: Changes found in the passwd file for user 'username':
[03:47:48] The login shell has changed from '/usr/local/cpanel/bin/jailshell' to '/bin/bash'
This warning came just after I imported my cPanel backup from HostGator, which was "infected to the gills" when I used the cPanel virus scan to get rid of all the nastiness.
I assume that this was a malicious file change. Question: what is the best method of undoing this change? (I used yum reinstall passwd. Just verifying that I am correct.)
At the same time, I received a warning that /usr/local/cpanel/bin/jail_safe_passwd had been changed as well. The sha256sum that I currently have is:
73cfe7fd96f2a266c6d68c414ba5128558282f2735c57280b3380ca2b1422961
Is there a repository of the cPanel checksums that I can readily access from the web so as to do my own comparisons?
If the above hash is not correct, how do I replace the file with the correct file?
Other symptoms of the hack are/were as follows:
URL spoofing (tried to spoof me to extort bitcoin, funny). In my DNS Zone Manager, I found added SPF entries containing:
"v=spf1 include:spf.mailgun.com +a +mx +ip-MYIP- +ip4:108.167.157.86 +ip4:199.250.207.223 ~all"
Question: I also saw/see many different DKIM records. Is it safe/best practice to delete all of the domain keys that I don't recognize? (Meaning, will I break something if I delete all of the domain keys, EXCEPT the domain key from Mailgun that I recognize?)
(I have since enabled DNSSEC entries/transfer protections with my registrar, and blocked the two IP addresses via CSF.)
Quite annoyingly, I started getting rapid-fire email alerts from cPanel monitoring, without any body information, just a subject line:
[hostname] FAILED
: cpanel-ccs (MYIP)
So I temporarily disabled the email alerts (enabled now), and ran # maldet -a, which found and cleaned:
LMD GNU nano 2.3.1 File: /usr/local/maldetect/sess/session.210309-0732.621
HOST: hostname
SCAN ID: 210309-0732.621
STARTED: Mar 9 2021 07:32:21 +0800
COMPLETED: Mar 9 2021 08:39:02 +0800
FILE HIT LIST:
{HEX}php.base64.inject.180 : /home/user/logs/modsec2_user_Mar_2021.gz
===============================================
Linux Malware Detect v1.6.4 < [email protected] >
And the deluge of warning emails from cPanel monitoring all stopped.
I also followed the instructions here for cleaning up infected websites.
- I had 2 outdated WP sites and two old Drupal sites. I updated and changed passwords for the WP sites and outright deleted the Drupal sites, since I keep clean offline backups of sites.
- I don't have any FTP accounts beyond the special accounts.
Finally, I went through and changed all of my passwords (cPanel, emails, etc.).
Are there any other best practices and/or guides for responses to an intrusion on your server that I should know?
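A small triage script built around the three findings in this post (the changed login shell, the changed cPanel binary, the SPF record with addresses the owner never added). This is an added example, not the poster's code and not anything shipped by cPanel, rkhunter or maldet. It assumes you kept a copy of /etc/passwd and a sha256sum manifest from before the compromise; the file paths, the sample file contents and the 203.0.113.10 stand-in for -MYIP- are constructed for the demo, and the two ip4 addresses are the ones quoted from the injected SPF record above.

```shell
#!/bin/bash
# Added example for this thread, not code from the original post or from cPanel.
# Three post-intrusion checks, each driven by a baseline you recorded yourself:
#   1. shell_changes      - users whose login shell differs from a baseline passwd copy
#   2. verify_manifest    - files that no longer match a sha256sum manifest you saved
#   3. unexpected_spf_ips - ip4:/ip6: mechanisms in an SPF record you did not put there
# All paths and sample data are constructed for the demo; on a real server the inputs
# would be /etc/passwd and a manifest taken while the box was known-good.
set -eu

# shell_changes BASELINE CURRENT
# Prints "user old_shell new_shell" for every user present in both passwd-format
# files whose 7th field (login shell) changed. Users found in only one file are ignored.
shell_changes() {
  awk -F: 'NR == FNR { base[$1] = $7; next }
           ($1 in base) && base[$1] != $7 { print $1, base[$1], $7 }' "$1" "$2"
}

# verify_manifest MANIFEST
# MANIFEST holds lines in the format `sha256sum` writes ("<hash>  <path>").
# Prints "MISMATCH <path>" for every file whose current hash differs (or that is
# missing) and returns 1 if anything mismatched, 0 otherwise.
verify_manifest() {
  local status=0 expected path actual
  while read -r expected path; do
    [ -n "$path" ] || continue
    if [ -f "$path" ]; then
      actual=$(sha256sum "$path" | awk '{ print $1 }')
    else
      actual=missing
    fi
    if [ "$actual" != "$expected" ]; then
      echo "MISMATCH $path"
      status=1
    fi
  done < "$1"
  return "$status"
}

# unexpected_spf_ips RECORD [ALLOWED_IP...]
# Prints each address from an ip4:/ip6: mechanism in RECORD that is not in the
# allow list. include:, a, mx and the ~all/-all qualifier are left alone.
unexpected_spf_ips() {
  local record=$1; shift
  local allowed=" ${*:-} " tok addr
  for tok in $record; do
    case $tok in
      ip4:*|+ip4:*|ip6:*|+ip6:*)
        addr=${tok#*:}
        case $allowed in
          *" $addr "*) ;;
          *) echo "$addr" ;;
        esac ;;
    esac
  done
}

# Constructed sample data: a baseline passwd copy, the current copy with one user's
# shell changed exactly as the rkhunter warning in the thread describes, and a
# manifest for a file that was modified after the manifest was written.
make_samples() {
  local dir=$1
  cat > "$dir/passwd.baseline" <<'EOF'
root:x:0:0:root:/root:/bin/bash
username:x:1001:1001::/home/username:/usr/local/cpanel/bin/jailshell
other:x:1002:1002::/home/other:/usr/local/cpanel/bin/noshell
EOF
  cat > "$dir/passwd.current" <<'EOF'
root:x:0:0:root:/root:/bin/bash
username:x:1001:1001::/home/username:/bin/bash
other:x:1002:1002::/home/other:/usr/local/cpanel/bin/noshell
EOF
  printf 'original contents\n' > "$dir/jail_safe_passwd.sample"
  sha256sum "$dir/jail_safe_passwd.sample" > "$dir/manifest.sha256"
  printf 'tampered contents\n' > "$dir/jail_safe_passwd.sample"
}

main() {
  local dir
  dir=$(mktemp -d)
  make_samples "$dir"
  echo "== login shell changes =="
  shell_changes "$dir/passwd.baseline" "$dir/passwd.current"
  echo "== manifest check =="
  verify_manifest "$dir/manifest.sha256" || echo "(restore flagged files from a trusted source)"
  echo "== SPF mechanisms not in the allow list =="
  # 203.0.113.10 is a constructed stand-in for the owner's own -MYIP- entry.
  unexpected_spf_ips "v=spf1 include:spf.mailgun.com +a +mx +ip4:203.0.113.10 +ip4:108.167.157.86 +ip4:199.250.207.223 ~all" 203.0.113.10
  rm -rf "$dir"
}

main
```

Two notes on the design. A hash check is only as trustworthy as the baseline it compares against, so a manifest written after the compromise proves nothing; `sha256sum -c manifest.sha256` performs the same comparison as verify_manifest in one command once you have a trusted manifest. On the login-shell finding, note that `yum reinstall passwd` reinstalls the passwd package (the password-changing binary) and does not rewrite the /etc/passwd database; a changed shell field is reverted per user with `usermod -s`, after which a diff like shell_changes should come back empty.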